Why digital security reporting is important for UK-listed companies.

The landscape of digital security is constantly evolving, and businesses face an increasing threat from cyberattacks.

As reliance on technology grows, so does the exposure of organisations to many types of attack, which have a demonstrable impact on a company's operations, finances and reputation, leaving it no choice but to address the issue. In response to this ever-increasing risk and to increasingly sophisticated attack methods, governments around the world have proposed adding digital security risk assessments and resilience disclosures to regulatory requirements.

The accelerated pace of digital transformation has also played a significant role in the push for greater disclosure, as businesses increasingly rely on technology for their success and resilience. So, what backs up these latest actions and activities? The statistics reveal a concerning reality. The Cyber Security Breaches Survey 2022 showed that 39% of UK businesses reported experiencing cyberattacks within the last year, with 83% of these attacks being phishing attempts. It is worth noting, however, that under-reporting of attacks is likely to be prevalent among less mature organisations. Beyond phishing, more sophisticated attacks such as denial of service, malware and ransomware pose serious risks. Ransomware has emerged as a significant concern, as it can severely disrupt an organisation's operations. Most law enforcement agencies advise against paying ransoms, and 56% of businesses have adopted this as policy, which further complicates the response to such attacks.

The frequency and impact of cyberattacks cannot be overstated. One in five businesses and charities have experienced negative outcomes, while almost four in ten charities have faced at least one adverse consequence, with the associated costs reaching significant figures. The average estimate of these costs in 2022 was £4,200, rising sharply to £19,400 when only medium and large businesses are considered. In some cases the figures could be significantly higher. It should also be noted that the lack of frameworks for measuring the financial impact of attacks could lead to under-reporting in this area. Despite government guidance emphasising cybersecurity and the importance of maintaining good cyber hygiene, and despite 82% of boards or senior management treating cybersecurity as a priority, many organisations are failing to take sufficient action. Only 49% of businesses, and 39% of charities, have implemented at least five of the ten components outlined in the government's "10 Steps to Cyber Security" guidance.

The prevalence of cyberattacks is increasing, posing a growing threat to businesses. Among self-reported cyberattacks, 31% of businesses and 26% of charities estimate they were attacked at least once a week. Adding to the complexity, limited understanding among board members often results in risk assessment being outsourced to external providers or insurance companies. Larger organisations generally exhibit stronger cybersecurity measures because of greater funding and expertise. Smaller organisations, however, still rely on external suppliers for their IT and cybersecurity, yet only 13% of businesses assess the risks posed by their immediate suppliers. Furthermore, incident management policies are lacking, with only 19% of businesses having a formal incident response plan.

The biggest, and perhaps least surprising, statistic of all is that nearly 90% of cybersecurity incidents are due to human error or behaviour. This further highlights that cybersecurity is not a narrow problem that can be tackled by a committee or even a board alone; it is imperative that all members of the organisation take part in comprehensive training and fully understand the risks and implications of an attack and how to respond to one.

2022 saw attacks on larger organisations that could be considered cybersecurity leaders, including a misconfiguration in Microsoft systems that resulted in data exposure for over 65,000 organisations worldwide. The incident emphasised the importance of robust security configurations in safeguarding sensitive customer information. The exposed data included business transaction records and other critical information, making it valuable for potential fraud and social engineering attempts.

Businesses tend to adopt a reactive approach to breaches, informing the board and evaluating the attack only after it has occurred. Given the escalating threat of cyberattacks, it is evident that businesses must take proactive measures to safeguard themselves. Incorporating digital security topics and themes into their annual reports, in areas such as the business model, strategy, ESG and risk, is crucial.

As we explore key developments in digital security during 2022, it is clear that cybersecurity extends beyond businesses and charities. Russian cyberattacks on Ukraine exposed critical infrastructure vulnerabilities and underscored the cyberwarfare capabilities of state actors, particularly in disrupting communication and satellite networks. The conflict has also led to an upsurge in attacks on European energy providers. A German energy giant, Marquard & Bahls, fell victim to an attack attributed to a Russian-linked threat group, leading to the closure of over 200 fuel stations. Similar attacks targeted energy firms across Germany, Luxembourg, Italy and India, as well as the oil refining hub in Amsterdam, causing disruption to the global supply chain and to critical industries. Understanding the strategies employed by state actors such as Russia helps to anticipate potential threats from other nations, such as China, Iran and North Korea, as well as from aspiring cybercriminal groups.

Ransomware attacks and supply chain breaches have become major concerns, with high-profile incidents demonstrating the widespread disruption these operations can cause. An attack by the Conti ransomware group on Costa Rica, which led to a state of national emergency, highlighted the potential for large-scale disruption from ransomware operations. The Lapsus$ supply chain attacks, which targeted high-profile organisations, demonstrated the far-reaching impact of compromised third-party suppliers. These attacks, paired with the current heightened geopolitical tensions, add to the digital risk and further emphasise the need for robust security measures to safeguard sensitive information.

As we examine the statistics and developments, it becomes evident that businesses must prioritise digital security. Implementing comprehensive reporting mechanisms that cover essential areas such as business models, strategies, ESG, risk management and governance is crucial. By communicating effectively the risks they face and the strategies in place to manage them, organisations can foster trust with stakeholders and demonstrate their commitment to protecting their business and customers. This has, inevitably, resulted in evolving stakeholder demands around digital and data security, and has made these issues relevant to the wider ESG debate.

Businesses must prioritise digital security, adopting comprehensive reporting mechanisms to communicate risks and strategies effectively. By doing so, organisations can build trust with stakeholders, navigate evolving stakeholder demands, and demonstrate unwavering commitment to safeguarding their business and customers in the face of escalating cyber threats.

To further assist you on this journey, we've prepared a comprehensive Digital Security Reporting Guide. Within the guide you will find information on different threats, frameworks, effective ways to communicate, and best-in-class examples among others. Sign up to get your copy today.